On Friday, July 10th, 2009, I received 3 emails: one at 2:25pm, another at 3:00pm and the third at 3:25pm.
They were for the same computer, a risk event.
Adware.Lop is named in 2 of them; I got a "quarantined" and a "details pending" among them.
I've tried to find this event in the logs, NOTHING.
I've tried to create a report on all risks for the month of July - it's not there!
Here are the 3 emails - note it's the same computer in all 3, the same IP address in all 3, and in fact the user CALLED US to report the alerts on her screen (both SEP and a phony AV report on how her computer was infected and at risk):
--------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Adware.Lop
Event time: 2009-07-10 19:21:14 GMT
Database insert time: 2009-07-10 19:24:20 GMT
User: Denise.xxxxx
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Access denied
---------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Downloader
Event time: 2009-07-10 19:52:25 GMT
Database insert time: 2009-07-10 20:00:01 GMT
User: SYSTEM
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Quarantined
------------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Adware.Lop
Event time: 2009-07-10 19:29:33 GMT
Database insert time: 2009-07-10 19:32:01 GMT
User: SYSTEM
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Details pending
--------------------------------
WHERE in the logs or a report do I search to find the details on this - I'd like to find the FILES that it says were at risk and so on..........
Why was this not logged?
Why is logging so complex and shallow?
And why are ports simply PIE CHARTS and not actual information?
All that aside, I need to show the LOGS to prove to management that this WAS infected, and THESE are the files proving it was WEB BASED.
Bottom line - why no log entries for this infection???
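As an added example (not part of the post above and not Symantec's own code), the following Python script parses SEP risk-notification e-mails of the format quoted in the post into structured records, rebuilds the per-computer timeline from the GMT event times, and flags entries whose disposition was still "Details pending" when the mail was sent. The sample text is a constructed copy of the three notifications above (redactions kept, one "Client Group"/"Action taken on risk" line left folded together the way the mail client delivered it, so the parser has to split it). The field names used as dictionary keys are assumptions chosen for this example.

```python
"""Parse SEP risk-notification e-mails into records and build a timeline.

Added example, not from the original post or from Symantec. The sample
below is a constructed copy of the three notifications quoted in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the three e-mails from the post, with the same redactions.
# The first block keeps the folded "Client Group ... Action taken on risk" line.
SAMPLE_NOTIFICATIONS = r"""
--------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Adware.Lop
Event time: 2009-07-10 19:21:14 GMT
Database insert time: 2009-07-10 19:24:20 GMT
User: Denise.xxxxx
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop Action taken on risk: Access denied
---------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Downloader
Event time: 2009-07-10 19:52:25 GMT
Database insert time: 2009-07-10 20:00:01 GMT
User: SYSTEM
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Quarantined
------------------------------------
Message from:
Server name: VRDSMSEP1
Server IP: 165.206.190.54
At least one security risk found:
Risk name: Adware.Lop
Event time: 2009-07-10 19:29:33 GMT
Database insert time: 2009-07-10 19:32:01 GMT
User: SYSTEM
Computer: VR093240VT6H570
IP Address: 10.252.xx.xx
Domain: IVRS-SEP1
Server: VRDSMSEP2
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Details pending
--------------------------------
"""

# Notifications are separated by rows of dashes of varying length.
SEPARATOR_RE = re.compile(r"^-{5,}\s*$", re.MULTILINE)
# Mail clients sometimes fold the last two fields onto one line; split that case.
FUSED_RE = re.compile(r"^(Client Group:\s*.*?)\s+(Action taken on risk:\s*.*)$")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S GMT"


def parse_time(value):
    """SEP stamps notification times in GMT; keep them timezone-aware."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_block(block):
    """Turn one 'Key: Value' notification into a record, or None if not a risk event."""
    fields = {}
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        fused = FUSED_RE.match(line)
        for part in (fused.groups() if fused else (line,)):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    if "Risk name" not in fields:
        return None
    event_time = parse_time(fields["Event time"])
    insert_time = parse_time(fields["Database insert time"])
    return {
        "risk": fields["Risk name"],
        "computer": fields["Computer"],
        "user": fields["User"],
        "ip": fields["IP Address"],
        "server": fields.get("Server", ""),
        "action": fields.get("Action taken on risk", "unknown"),
        "event_time": event_time,
        "insert_time": insert_time,
        # Delay between detection on the client and the manager's database row.
        "insert_lag_s": int((insert_time - event_time).total_seconds()),
    }


def parse_notifications(text):
    """Parse every notification in a mailbox dump (several e-mails concatenated)."""
    return [r for r in (parse_block(b) for b in SEPARATOR_RE.split(text)) if r]


def timeline_by_computer(records):
    """Group records per computer and order them by event time, not mail arrival."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["computer"]].append(rec)
    return {c: sorted(rs, key=lambda r: r["event_time"]) for c, rs in grouped.items()}


def summarize(records):
    """Per-computer counts: events, distinct risks, and entries still pending."""
    summary = {}
    for computer, recs in timeline_by_computer(records).items():
        summary[computer] = {
            "events": len(recs),
            "risks": sorted({r["risk"] for r in recs}),
            "pending": sum(1 for r in recs if r["action"] in ("Details pending", "unknown")),
            "max_insert_lag_s": max(r["insert_lag_s"] for r in recs),
        }
    return summary


if __name__ == "__main__":
    for computer, recs in timeline_by_computer(parse_notifications(SAMPLE_NOTIFICATIONS)).items():
        print(computer)
        for r in recs:
            print(f"  {r['event_time']:%H:%M:%S}  {r['risk']:<12} {r['action']:<16} lag={r['insert_lag_s']}s")
```

The timeline puts the "Details pending" Adware.Lop event between the other two even though that mail arrived last, and the pending count is what you would chase in the manager console. Note that the notification carries no file path, so records built from the mails alone establish the timeline and disposition, not the files the post is after.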